Payment Card Industry Data Security Standard (PCI DSS) - someone else's problem?


It seems like every second day we hear about another security breach or data compromise, usually involving tens of thousands of card numbers and often additional, even more sensitive information which, if used in conjunction with the card number, can result in serious financial loss and reputational damage to the compromised party.

Globally, it is evident that data compromises are becoming more widespread, and entities which considered themselves too small for fraudsters to notice are now regrettably becoming victims of data theft. The notion that this is something that only happens to the TJ Maxxes of this world can now be filed under "Myths of our time".

If huge corporations like TJ Maxx and Hannaford are struggling to protect transactional data from compromise, with all the IT security resources they have at their disposal, how can small privately owned businesses be expected to do so?

Since 2005, the card schemes (Visa, Mastercard, Amex, Diners and JCB) have laid out a mandatory standard called the Payment Card Industry Data Security Standard, or PCI DSS for short.

Let's try to deal with some of the most common reactions from businesses which accept credit cards when they hear about PCI DSS.

I have not heard anything about it - it's not my problem.

It is very true that PCI DSS has received little or no publicity outside of the United States, but compliance with the standard is mandatory for any entity (from a corner shop or small e-commerce site right up to a multinational merchant) which stores, processes or transmits card data. IT MOST CERTAINLY IS YOUR PROBLEM IF THE DATA IS DISCLOSED.

So what if I don't comply?

Mastercard and Visa have published schedules of fines for merchants who are non-compliant, and a further set of penalties for merchants who experience a compromise of credit card data. In summary, depending on merchant size, fines for non-compliance can start at €5,000 and, in the case of Visa, can be levied on a monthly basis starting at €5,000 per month and escalating to €25,000 per month if non-compliance persists.

Fines applying to merchants who are compromised start, for Mastercard, at $100,000 (or local currency equivalent) per incident plus $25 (or local currency equivalent) per card number disclosed, and the cost of the forensic investigation will also be levied.

For Visa, fines for merchants who are compromised start at €25,000 and can go as high as €750,000 depending on the number of card numbers disclosed. Additional fines may also be applied if merchants are found to be storing "sensitive authentication data" at the time of the compromise (card track data, CVV/CVC values or PINs).

On top of the fines, if you experience a data compromise it is also possible that your bank will terminate your card acceptance facility.

Where do I start?

Any business which handles, stores or processes card details needs to be aware that it must comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of the volume of transactions it handles. The full standard is available for download through the following link: http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

I have read the standard and I'm unclear how this applies to my business.

If you don't understand how to validate your compliance with the standard you can avail of a free validation requirements assessment tool at the following link: http://www.o-cgroup.com/pci-merchants.shtml

This tool will help you identify what you have to do to validate compliance. For most merchants, except those handling in excess of 6 million transactions per card scheme per annum, this involves completing a self-assessment questionnaire and, where they have a web presence, having their IP addresses scanned at least quarterly.

It all seems so complicated and sounds costly.

The vast majority of smaller merchants can achieve compliance without incurring major cost. Many merchants can greatly simplify the measures necessary to achieve compliance by not storing card data at all once a transaction has been authorised.
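The simplest way to confirm that you are not holding card data after authorisation is to look for it. The script below is an added example written for this article, not a tool from the card schemes or from O-C Group: it scans stored text such as application logs or database exports for Luhn-valid card numbers and for Track 2 swipe data (the "sensitive authentication data" the fines above refer to), and reports each finding with the number masked. The log lines are constructed for the example and the card numbers in them are the well-known Visa and Mastercard test numbers, not real accounts.

```python
"""Added example (not from the original article): a data-discovery check that
scans stored text for card numbers and Track 2 data which should not be
retained once a transaction has been authorised."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 layout: optional ';' start sentinel, PAN, '=' separator, YYMM expiry,
# three-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}\d*\??")

# Constructed sample log: lines 2 and 4 contain data that must not be stored.
SAMPLE_LOG = [
    "2024-01-15 10:02:11 order=1001 auth=OK amount=19.99",
    "2024-01-15 10:02:12 DEBUG payload card=4111 1111 1111 1111 exp=12/25",
    "2024-01-15 10:03:40 order=1002 ref=1234567890123 status=DECLINED",
    "2024-01-15 10:04:02 DEBUG swipe=;5555555555554444=25121010000000000000?",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate card numbers in a piece of text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the usual truncated display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines) -> list:
    """Return (line number, finding type, masked PAN) for every hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        track = TRACK2_RE.search(line)
        if track:
            # Full track data is the more serious finding; report it once.
            pan = track.group().lstrip(";").split("=")[0]
            findings.append((lineno, "track2", mask_pan(pan)))
            continue
        for pan in find_pans(line):
            findings.append((lineno, "pan", mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {masked}")
```

Run against your own logs, the Luhn filter keeps ordinary reference numbers (line 3 of the sample) out of the report, while a hit on Track 2 data is the one to act on first, because storing it after authorisation attracts the additional fines described above.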

When using service providers to deliver aspects of your commerce solution, make sure you include a clause in the contract which requires that service provider to maintain compliance with PCI DSS.

Where do I start?

All merchants have to complete a self-assessment questionnaire, and practically all merchants are required to perform IP address scanning of their web environment.

Currently O-C Group are offering a FREE TRIAL scanning service and a consultation on the scan results. You can register for this at: http://www.o-cgroup.com/freescan-offer.php
